2013-04-21 - Connect the dots
Meet Safe Pack (v2.0)... Again :)
A "new" pack is advertised on underground. Thanks Kahu Security for locating and providing initial image of the advert.
In fact I faced it before seeing the advert, and reading it really puzzled me.
Initial advert for SafePack as spotted by @KahuSecurity |
What i faced was not matching this at all.
No CVE-2011-3402 (Duqu like fontdrop), no CVE-2013-0634 (LadyBoyle), no CVE-2013-1493
So I was kind of lost...This advert could be for Popads or Old version of Cool EK but not for what i saw.
But...going back checking if I could find more information :
Updated Advert - more realistic :) |
Ok. Sound better !
Here is btw the image that we are supposed to see in the advert :
Screenshot Provided in the advert |
And now here is what i faced :
CritXPack for sure ! hum... |
As CritXPack was kind of calm past days...i checked :
Safe Pack v2.0 Login Screen |
I see two explanation :
1- CritXPack (Formerly Vintage Pack) is now called Safe Pack v2.0
2- Safe Pack v2.0 is a rip of CritXPack...
Don't know for sure...based on initial advert + ProHack's other posts I bet for option 2.
Anyway won't make a full review of this pack.
As i was not aware of CVE-2013-1493 in CritXPack I tried that against Safe Pack v2.0
And yes...you are safe with java 7u15 and 6u41.
Chances are low to see major updates on this pack.
<edit1 2013-04-26>
</edit1>
<edit1 2013-04-26>
Safe Pack v2 - Private version of CritXPack now gone into commercial sales (?) |
<edit2 2013-06-06>
Seems like it has been renamed FlashPack.
Not a fork. It's the same thing.
Little modification in the pattern :
GET http://62.76.188 .7/c1905hfosv/bods2903bue/index.php?id=5520563456
200 OK (text/html)
GET http://62.76.188 .7/c1905hfosv/bods2903bue/js/js.js
200 OK (application/x-javascript)
GET http://62.76.188 .7/c1905hfosv/bods2903bue/gate.php?ver=Eg1l8cwwgE:E:E:w:EglPPCwwgC:88pP8cg18c&p=9.3.0.0&j=1.7.0.7&f=11.7.700.202
200 OK (text/html)
GET http://62.76.188 .7/c1905hfosv/bods2903bue/js/deployJava.js
200 OK (application/x-javascript)
GET http://62.76.188 .7/c1905hfosv/bods2903bue/j07.php?i=EglPPCww1p
200 OK (application/java-archive)
GET http://62.76.188 .7/c1905hfosv/bods2903bue/load.php?e=g&ip=Eg1l8cwwgE
200 OK (application/octet-stream)
GET http://62.76.188 .7/c1905hfosv/bods2903bue/index.php?id=5520563456
302 Found to http://www.adobe.com
</edit2>
Seems like it has been renamed FlashPack.
Safe Pack Renamed : FlashPack |
Little modification in the pattern :
FlashPack aka SafePack aka CritXPack |
GET http://62.76.188 .7/c1905hfosv/bods2903bue/index.php?id=5520563456
200 OK (text/html)
GET http://62.76.188 .7/c1905hfosv/bods2903bue/js/js.js
200 OK (application/x-javascript)
GET http://62.76.188 .7/c1905hfosv/bods2903bue/gate.php?ver=Eg1l8cwwgE:E:E:w:EglPPCwwgC:88pP8cg18c&p=9.3.0.0&j=1.7.0.7&f=11.7.700.202
200 OK (text/html)
GET http://62.76.188 .7/c1905hfosv/bods2903bue/js/deployJava.js
200 OK (application/x-javascript)
GET http://62.76.188 .7/c1905hfosv/bods2903bue/j07.php?i=EglPPCww1p
200 OK (application/java-archive)
GET http://62.76.188 .7/c1905hfosv/bods2903bue/load.php?e=g&ip=Eg1l8cwwgE
200 OK (application/octet-stream)
GET http://62.76.188 .7/c1905hfosv/bods2903bue/index.php?id=5520563456
302 Found to http://www.adobe.com
</edit2>
Files:
SafePack_2pass_2013-04-20.zip (OwnCloud via Goo.gl)
Read More:
Meet CritXPack (Previously Vintage Pack) - 2012-11-12